USCYBERCOM Shares More North Korean Malware Samples

The U.S. Cyber Command (USCYBERCOM) has uploaded new malware samples to VirusTotal, all of which the Command has attributed to the North Korea-linked threat group Lazarus.

The samples were added to the scanning engine as part of a project that USCYBERCOM’s Cyber National Mission Force (CNMF) kicked off in November 2018. Previously released malicious files have been attributed to state-sponsored hacking groups operating out of North Korea, Russia, and Iran.

In September 2019, 11 malware samples shared to the popular malware scanning engine were attributed to Lazarus, a cluster of activity that the U.S. refers to as “Hidden Cobra.”

USCYBERCOM has now added 6 new samples linked to the same government-backed hacking group. Two of the new samples appear to have been created in the summer of 2019, two in February 2018, one in September 2017, and one in October 2016. 

The malware, USCYBERCOM says, is currently used for phishing and remote access, to facilitate the hacking group’s illegal activities, steal funds, and evade sanctions.

Given that some of these samples are rather old, they are already broadly detected by the anti-malware companies in VirusTotal. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has published Malware Analysis Reports for each of these samples.

Called ARTFULPIE, the first piece of malware is an implant designed to fetch a DLL from a hardcoded URL, load it in-memory, and execute it. The second is HOTCROISSANT, a full-featured beaconing implant that can fingerprint the system, download and upload files, execute processes and commands, and capture screenshots. 

CROWDEDFLOUNDER can unpack and execute a Remote Access Trojan (RAT) binary in memory and can listen as a proxy for commands or connect to a remote server to receive commands. SLICKSHOES is a beaconing implant that can harvest system information, download/upload files, execute commands, and take screenshots. 

Next in line is BISTROMATH, a full-featured RAT that can gather system data, upload/download files, run commands, and monitor the microphone, clipboard, and the screen. Finally, BUFFETLINE is a full-featured beaconing implant that can download, upload, delete, and execute files; create and remove processes; perform targeted system enumeration; and enable Windows CLI access. 

In addition to these reports, CISA updated their report on the HOPLIGHT remote access Trojan (RAT), a threat that some anti-malware companies on VirusTotal detect as a variant of the NukeSped RAT due to code similarities.

Other newly released samples have also been detected as variants of NukeSped. Given the extent of the malicious operations associated with Hidden Cobra, it’s unsurprising that there are code similarities that link the numerous malware variants used by the group.

Related: U.S. Cyber Command Adds North Korean Malware Samples to VirusTotal

Related: Researchers Analyze North Korea-Linked NukeSped RAT

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
